Homeland Security Department officials hailed the Continuous Diagnostics and Mitigation (CDM) program in August 2013 when it and the General Services Administration awarded the $6 billion contract as a network security program that would provide a “standard measure of protection across government within three years.”

Here we are nearly four years later and CDM is a lot harder than initially thought and most agencies remain in Phase 1 of the program. The challenges can be traced to a host of reasons, from poor agency planning because they didn’t know all the devices and end-points on their networks, to a contract vehicle that wasn’t flexible enough, to bid protests that have delayed nearly every award.

But before anyone calls CDM a failure or even a lost opportunity, GSA and DHS deserve a ton of credit for doing something few agencies publicly do — recognize the deficiencies of their program and developing a plan to fix them going forward.